Systems and methods for context-sensitive data security for business application performance optimization

ABSTRACT

Described herein are systems and methods for providing context-sensitive data security, for business application performance optimization. In accordance with an embodiment, the system can be used together with a Role Based Access Control model. Data security predicates can be made context-sensitive, by taking into account the context in which an end-user is navigating an application. By providing context-sensitive data security in this manner, the complexity of database queries can be reduced, and the underlying relational database management system can create better-optimized execution plans.

CLAIM OF PRIORITY

This application claims the benefit of priority to U.S. Provisional Patent Application titled “SYSTEMS AND METHODS FOR CONTEXT-SENSITIVE DATA SECURITY FOR BUSINESS APPLICATION PERFORMANCE OPTIMIZATION”, Application No. 61/808,705, filed Apr. 5, 2013; which application is herein incorporated by reference.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

FIELD OF INVENTION

Embodiments of the invention are generally related to data security, and are particularly related to systems and methods for providing context-sensitive data security for business application performance optimization.

BACKGROUND

The importance of data security in enterprise business applications has risen sharply in recent years, particularly in view of newer regulations regarding data privacy, and the increased popularity of cloud-based environments. Controlling who has access to a particular set of data in a business application environment is a key concern while implementing security in such environments.

One of the common means of controlling data access is Role Based Access Control (RBAC), which has become a de facto industry standard, and which has been adopted and implemented by many business application vendors.

However, although there has been much research directed to the implementation and security benefits of RBAC, there has been less research on the impacts of such a data security model on the performance and scalability of business applications. Many commercial business applications use a relational database at the back-end, with processing of data managed through structured query language (SQL) queries. The performance of such SQL queries often dictates the performance and scalability of the application, among other factors.

SUMMARY

Described herein are systems and methods for providing context-sensitive data security, for business application performance optimization. In accordance with an embodiment, the system can be used together with a Role Based Access Control model. Data security predicates can be made context-sensitive, by taking into account the context in which an end-user is navigating an application. By providing context-sensitive data security in this manner, the complexity of database queries can be reduced, and the underlying relational database management system can create better-optimized execution plans.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates an environment which can be used to provide access to a relational database management system using data security predicates.

FIG. 2 further illustrates an environment that can provide access to a database using data security predicates.

FIG. 3 illustrates a generic form of a database query generated at run-time using data security predicates.

FIG. 4 illustrates a system for providing context-sensitive data security, including capturing and processing context to generate context-sensitive data security predicate sub-queries, in accordance with an embodiment.

FIG. 5 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment.

FIG. 6 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment.

FIG. 7 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment.

FIG. 8 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment.

FIG. 9 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment.

FIG. 10 illustrates an example of how a context-processor can be implemented using a generic algorithm, in accordance with an embodiment.

FIG. 11 is a flowchart of a method for providing context-sensitive data security, in accordance with an embodiment.

FIG. 12 is another flowchart of a method for providing context-sensitive data security, in accordance with an embodiment.

FIG. 13 illustrates an example of a “My Leads” query prior to or without context processing.

FIG. 14 illustrates an example of context-sensitive “My Leads” query after context processing, in accordance with an embodiment.

DETAILED DESCRIPTION

As described above, the importance of data security in business applications has risen sharply in recent years, particularly in view of newer regulations regarding data privacy, and the increased popularity of cloud-based environments. Controlling who has access to a particular set of data in a business application environment is a key concern while implementing security in such environments.

Described herein are systems and methods for providing context-sensitive data security, for business application performance optimization. In accordance with an embodiment, the system can be used together with a Role Based Access Control (RBAC) model. Data security predicates (DSP) can be made context-sensitive, by taking into account the context in which an end-user is navigating an application. By providing context-sensitive data security in this manner, the complexity of database queries can be reduced, and the underlying relational database management system can create better-optimized execution plans.

Introduction

As described above, although there has been much research directed to the implementation and security benefits of RBAC, there has been less research on the impacts of such a data security model on the performance and scalability of business applications. Many commercial business applications use a relational database at the back-end, with processing of data managed through structured query language (SQL) queries. The performance of such SQL queries often dictates the performance and scalability of the application, among other factors.

Some contemporary approaches to data security use RBAC together with DSPs, in the form of SQL language WHERE clauses, to access data in the database. However, such approaches typically rely on several DSP sub-queries being OR-ed together and appended to a main SQL query, which negatively affects database query performance.

Additionally, although RBAC-based data security may not have huge performance impacts when each user has only a single defined role, performance degradations start to arise when users have multiple roles in an enterprise, and have access to data via many different DSP sub-queries.

For example, a sales manager using a Customer Relationship Management (CRM) application could have multiple roles, and implicit roles, through group memberships and hierarchy. Based on these roles, the sales manager's access to data would be controlled by a union of all the DSPs, which may sometimes overlap.

Such performance problems are further exacerbated by the fact that modern business applications typically have a very complex data model, with the data stored in many different database tables. Accessing such data even without DSPs often results in complex SQL queries, the performance of which is a challenge by itself. Appending of RBAC-based DSPs to complex dynamically generated SQL queries often results in poor performance at the database.

Data Security Predicates

FIG. 1 illustrates an environment which can be used to provide access to a relational database management system using data security predicates.

As shown in FIG. 1, in some business application environments, such as a typical Oracle Fusion Applications environment, data visibility is controlled through RBAC. Users are granted one or more roles and, when a user has multiple roles, RBAC ensures that the user's access is the union of all granted roles.

For example, as shown in FIG. 1, in a typical data security environment 50 that includes a database 52 with user data stored in tables 54, and a middleware 55, a user 56 can make an access request 57 to a business application 58, for example to query or update information in the database as part of a business flow. Typically, the user is associated with one or more defined job or duty roles 60. The role-based access request 62 is received by a security framework 64 at the middleware, which determines 66 appropriate DSPs stored in a central grants table in the database. The middleware security framework then uses this information to select DSP sub-queries to be OR'ed together 67, and appended to a main SQL query, which is/are then processed against the database to generate a result 68 (e.g., a resultset).

FIG. 2 further illustrates an environment that can be used to provide access to a database using data security predicates. As shown in FIG. 2, the security framework ensures that, at run-time, any required instance sets are put together based on the grants for the defined job and duty roles. For example, at run-time, when a user logs into the application, and begins to use business flows which require SQL queries to be sent to the back-end database, the union of that user's roles is determined 70, and all of the user's accessible DSP sub-queries are provided 74, 76 to the security framework, and are then OR-ed together and appended to the main SQL query 80. The resultant (i.e., main plus the OR'ed DSPs) query is then communicated 82 to the database for execution. If a user defines an additional search criteria, this can be appended as an IN or EXISTS sub-query to the main SQL query

FIG. 3 illustrates a generic form of a database query 90 generated at run-time using data security predicates, illustrating how multiple DSP sub-queries (in this example, DSP_Sub-Query-1, DSP_Sub-Query-2, etc.) are OR-ed together and appended to a main SQL query, to provide a resultant query for execution against the database.

However, the implementation of RBAC through the use of OR'ed DSP sub-queries as described above can result in poor system performance. For example, when a relational database cost-based optimizer (CBO) is used, the CBO may be unable to find an optimal execution plan based on the use case scenario being executed. A problem is that the DSP sub-queries may be written in many different forms—for example, some using EXISTS, some using IN, some using a combination of EXISTS and IN, and others using UNION or Nested-Sub-Queries. The problem is further compounded by the fact that the DSP sub-queries may reference a wide range of different, e.g., tables, or views, including hierarchical ones that make these sub-queries extremely complex. Given the SQLs' complexity and size, with many EXISTS and OR'ed DSP sub-queries, the CBO often has trouble handling the complex transformations and costing of such SQLs, and this has a considerable impact on their performance.

In many situations, the application and security framework does not make any allowance for the context in which the user is executing the SQL. For example, when a logged-in user switches context in their application to view his/her marketing leads, the SQL generated by the framework at run-time may append all of the OR'ed data security predicates to the SQL that the user's job/duty role has access to, based on the RBAC model that a user's data visibility is controlled by the union of all grants. It may not matter that the user was looking to find only the data for leads in which he/she was the owner, as controlled by owner_id column, and that this column was already the main filtering predicate in the main SQL query, making the evaluation of all the DSP sub-queries redundant. As a result, the CBO would need to evaluate (and typically materialize) all of the rows that the user was entitled to see, only to discard many later in the execution plan, and keep only the rows that the user wanted to view.

Additionally, for many use cases, the use-case sub-query appended dynamically to the SQL at run-time, has an equivalent DSP sub-query. This reflects the fact that the rows that qualify using the business flow search sub-query are essentially a sub-set of the rows that qualify from the UNION of all the OR'ed DSP sub-queries of the RBAC framework; and indicates that the DSP sub-queries may be logically redundant in many use cases. In business applications that use RBAC DSP sub-queries to control data visibility, the underlying relational database's CBO faces a dilemma—the so-called “Tiny-Huge, Huge-Tiny” problem in which to decide whether to drive from the main outer query, or drive from the RBAC-based DSP sub-queries, based on an estimate of which one will be more restrictive in terms of the number of qualifying rows. There are many factors that can influence the CBO's decision and the performance of dynamically generated SQL queries, which makes this a difficult estimation.

Context-Sensitive Data Security

In accordance with an embodiment, described herein are systems and methods for providing context-sensitive data security, for business application performance optimization.

As used herein, the term “context-sensitive” is generally used instead of “context-aware”, to describe aspects of a business application user's context that have a direct bearing on the performance of SQLs and thereby on applications that use RBAC. As such, a context-sensitive RBAC architecture is not only context-aware, but can also make use of such context awareness to take certain actions that may significantly improve the performance of the SQL queries, and as a result improve the performance and scalability of the application.

In accordance with an embodiment, given the many factors affecting performance of SQLs that get appended with multi-role RBAC-based DSP sub-queries, the system enables making the data security context-sensitive at run-time. The system can achieve this by using context information to filter the row-set that would result from the union of all the DSP sub-queries, such as simplifying the SQL being sent to the database for execution; and by restricting the row-set processing to what the user wishes to retrieve, thereby removing inefficiencies in the execution process.

FIG. 4 illustrates a system for providing context-sensitive data security, including capturing and processing context to generate context-sensitive data security predicate sub-queries, in accordance with an embodiment.

As shown in FIG. 4, in accordance with an embodiment, a context-sensitive data security environment 100 can include a computer hardware 101 (such as a processor, and storage components), a database 102 with user data stored in tables 104, and a middleware 106. A user 116 can make an access request 118 to a business application, for example to query or update information in the database as part of a business flow, wherein the user is associated with one or more job or duty roles 120. The role-based access request is received by a security framework 108 at the middleware, which determines appropriate DSPs stored in a central grants table 136 in the database.

As further shown in FIG. 4, in accordance with an embodiment, the context-sensitive data security environment also includes a context-capture module 114, which resides on the user interface layer 112 of the business application. The function of the context-capture module is to follow a logged-in user's actions and capture the context attributes up to the point where the user action starts the processing of their request to access data from the underlying relational database. These context attributes may be purely physical attributes such as geographic location, or may directly correspond to the user's desire to access a specific set of data based on the role and responsibilities being exercised for the particular use case.

In accordance with an embodiment, user-driven context attributes may be filter predicates that map to a table's columns in the underlying database, or they could be the user's desire to be acting in a certain job or duty role at that moment. Several application development frameworks provide a means of including such a context-capture module; for example, Oracle Application Development Framework (ADF) provides a Contextual Event Framework with appropriate listeners that can be used to capture binding attributes, actions and events from the user interface.

In accordance with an embodiment, the context-processor 110 resides in the middle tier of the business application or application server as part of the security framework 108. The context-processor takes two inputs: the context attributes captured from the user interface by the context-capture module; and the complete set of DSP sub-queries from the database that are applicable to the current user which are obtained through the RBAC security framework.

For example, consider the scenario where a user has been granted multiple roles that authorize data access from a variety of access paths. The user, while navigating the application, may decide that for that particular user interface flow, he/she would like to see data returned only for one specific role they are working on at the moment. In this situation, the context-processor can use this context attribute to parse the DSP sub-queries to identify which one of these corresponds to the user's desire to be in a particular role for that moment. After identifying the one DSP sub-query, the context-processor can strip out the remaining DSP sub-queries which are redundant to the user's request.

There may be situations where more than one context attribute would need to be processed. In these situations, in accordance with an embodiment, the context-processor can process all the captured context attributes to generate a context-sensitive SQL that is then processed in the normal way. The context-sensitive SQL thus generated has all the data security redundancies removed, and has additional predicates added to the DSP sub-queries. This action addresses the problem of SQL size and complexity and consequently the CBO's ability to generate optimized and stable execution plans, thereby resulting in better performance of the SQL. In short, the context-processor can be used to process the context attributes and apply these intelligently on the DSP sub-queries to produce context-sensitive SQLs.

FIG. 5 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment. As shown in FIG. 5, when the user interacts with the application user interface, the context-capture module captures context attributes 115, to be used in conjunction with a role-based access request 128, to determine appropriate DSPs 130.

FIG. 6 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment. As shown in FIG. 6, the context-capture module captures 132 and passes 134 the user's context attributes to the context-processor in the security framework.

FIG. 7 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment. As shown in FIG. 7, the user's applicable DSP sub-queries are fetched 138 from the database, and are input 140 to the context-processor by the security framework

FIG. 8 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment. As shown in FIG. 8, the context-processor uses the context-sensitive information provided by the context-capture module to generate context-sensitive DSP sub-queries 142, and generate or modify a SQL with the context-sensitive DSP sub-queries, thus simplifying the SQL being sent to the database for execution, and restricting the row-set processing to the current context. The query is then sent 144 to the database for processing.

FIG. 9 further illustrates a system for providing context-sensitive data security, in accordance with an embodiment. As shown in FIG. 9, when the SQL with the context-sensitive DSP sub-queries has been processed against the database, a context-sensitive result (e.g., resultset) is returned 146 from the database to the user interface, where it can then be used to respond 148 to the user.

FIG. 10 illustrates an example of how a context-processor can be implemented using a generic algorithm, in accordance with an embodiment. As shown in FIG. 10, the final context-sensitive SQL 150 thus generated is simpler, smaller in size and has better performance when compared to the existing SQL.

FIG. 11 is a flowchart of a method for providing context-sensitive data security, in accordance with an embodiment. As shown in FIG. 11, at step 152, a context-sensitive data security environment is provided, including middleware with a security framework and context-processor, which provides access to a database with data security predicate (DSP) sub-queries in a grants table.

At step 154, a business application is configured with an application user interface and a context-capture module.

At step 158, the system captures and passed context attributes to the context-processor in the security framework.

At step 160, applicable DSP sub-queries are fetched from the database and are provided as input to the context-processor.

At step 162, the context-processor generates context-sensitive DSP sub-queries, and a SQL query with the context-sensitive DSP sub-queries, which is/are then sent to the database for processing.

FIG. 12 is another flowchart of a method for providing context-sensitive data security, in accordance with an embodiment. As shown in FIG. 12, at step 166, a business application user is granted one or multiple roles that authorize data access from a variety of access paths in a user interface.

At step 168, the user can, while navigating the application, request that for a particular flow, data be returned for a particular role.

At step 170, the context-processor uses the particular role as a context attribute to parse DSP sub-queries, and to identify one or more DSP sub-query that corresponds to the user's particular role and context.

At step 172, after identifying the one or more DSP sub-query that corresponds to the user's particular role and context, the context-processor strips out remaining DSP sub-queries which are redundant to the user's request.

At step 174, optionally, if more than one context attribute is to be processed, the context-processor processes all of the captured context attributes, to generate a context-sensitive SQL that can then be processed against the database, including additional predicates added to the DSP sub-queries.

In accordance with an embodiment, the above techniques can be used with software products such as Oracle Fusion Applications together with an Oracle 11gR2 database, or other business application, middleware, and database software products.

In such environments, and using an approach as described above, considerable performance benefits can be seen, for example, in SQL response time, buffer gets, hard parse time, and shared memory utilization. Simplification of the DSP sub-queries can also improve the hard parse time of context-sensitive SQLs.

Illustrative Examples

By way of an example to illustrate the above, consider a situation in which one of the context attributes captured by the context-capture process and passed to the context-processor is the creation date of an object that relates to a column in a table in the database, and the user is interested in a row set that corresponds to a specific value or a range of values for creation date. The user may wish to see only the records that are directly owned by him/her, rather than all of the records to which the user has access to via the union all of their RBAC sub-queries.

In such a situation, in accordance with an embodiment, the context-processor can create context sensitive security by first, parsing all the DSP sub-queries to check where all this creation date is applicable and add it as an additional filter predicate to the affected DSP sub-queries; and then, based on the context, stripping out those DSP sub-queries that are not required but that are added by the RBAC security framework.

For example, FIG. 13 illustrates an example of such a “My Leads” query 180 prior to or without context processing; while FIG. 14 illustrates an example of a context-sensitive “My Leads” query after context processing 190, in accordance with an embodiment.

As shown in FIG. 14, in this example, the context-processor retains only the contextually applicable DSP sub-query, stripping out the remaining ones. In addition, the context predicate CREATION_DATE is added as an additional filter predicate to the retained DSP sub-query.

By way of further example, consider a situation in which a user has been granted multiple roles that authorize data access from a variety of access paths. The user, while navigating the application, may decide that for that particular user interface flow, he/she would like to see data returned only for one specific role they are working on at the moment.

In such a situation, in accordance with an embodiment, the context-processor can use this context attribute to parse the DSP sub-queries to identify which one of these corresponds to the user's desire to be in a particular role for that moment. After identifying that one DSP sub-query, the context-processor can strip out the remaining DSP sub-queries which are redundant to the user's request.

There may be situations where more than one context attribute would need to be processed. In these situations, in accordance with an embodiment, the context-processor can process all the captured context attributes to generate a context-sensitive SQL that can then be processed in the normal way. The context-sensitive SQL thus generated would have all the data security redundancies removed and would have additional predicates added to the DSP sub-queries. This action addresses the problem of SQL size and complexity, and consequently the CBO's ability to generate optimized and stable execution plans, thereby resulting in better performance of the SQL.

As described above, the importance of data security in enterprise business applications has risen sharply in recent years, particularly in view of newer regulations regarding data privacy, and the increased popularity of cloud-based environments. In accordance with various embodiments, the systems and methods described above can be used in such environments.

For example, in accordance with an embodiment, context attributes may be purely physical attributes such as geographic location, or may directly correspond to the user's desire to access a specific set of data based on the role and responsibilities being exercised for the particular use case. The use of physical attributes, such as a user or data location, may be important in some embodiments in the context of where the user is located and where the data is located that the user is trying to access. For example, due to privacy regulations in Europe, personal data residing in a database in Europe may not be intended to be accessed by users located in the United States of America. In accordance with an embodiment, such physical attributes can be taken into account and processed by the context-processor.

The present invention may be conveniently implemented using one or more conventional general purpose or specialized digital computer, computing device, machine, or microprocessor, including one or more processors, memory and/or computer readable storage media programmed according to the teachings of the present disclosure. Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art.

In some embodiments, the present invention includes a computer program product which is a non-transitory storage medium or computer readable medium (media) having instructions stored thereon/in which can be used to program a computer to perform any of the processes of the present invention. The storage medium can include, but is not limited to, any type of disk including floppy disks, optical discs, DVD, CD-ROMs, microdrive, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.

The foregoing description of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to the practitioner skilled in the art. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, thereby enabling others skilled in the art to understand the invention for various embodiments and with various modifications that are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalence. 

What is claimed is:
 1. A system for context-sensitive data security for business application performance optimization, comprising: a computer including a processor; a context capture module that captures context attributes associated with a user interaction with a business application; and a context processor that receives as input the context attributes, and a set of one or more data security predicate (DSP) sub-queries applicable to the user, and applies the context attributes to the DSP sub-queries to produce a context-sensitive query.
 2. The system of claim 1, wherein the system includes an application user interface, and wherein the context capture module captures context attributes associated with the user interacting with the user interface as part of a business flow.
 3. The system of claim 1, further comprising a security framework that determines, based on the user's role and a current context, the set of DSP sub-queries applicable to the user, and provides the set of DSP sub-queries to the context processor in response to the user interaction.
 4. The system of claim 3, wherein the context-sensitive query is communicated to a database as a query that includes context-sensitive DSP sub-queries.
 5. The system of claim 4, wherein the context-sensitive query is a structured query language (SQL) query which includes the context-sensitive DSP sub-queries, and which is communicated to the database to generate a response to the user interaction.
 6. The system of claim 1, wherein the system is used within an environment that includes the business application, or a cloud-based or other type of computing environment.
 7. A method for context-sensitive data security for business application performance optimization, comprising: providing a context capture module that captures context attributes associated with a user interaction with a business application; and providing a context processor that receives as input the context attributes, and a set of one or more data security predicate (DSP) sub-queries applicable to the user, and applies the context attributes to the DSP sub-queries to produce a context-sensitive query.
 8. The method of claim 7, wherein the system includes an application user interface, and wherein the context capture module captures context attributes associated with the user interacting with the user interface as part of a business flow.
 9. The method of claim 7, further comprising a security framework that determines, based on the user's role and a current context, the set of DSP sub-queries applicable to the user, and provides the set of DSP sub-queries to the context processor in response to the user interaction.
 10. The method of claim 9, wherein the context-sensitive query is communicated to a database as a query that includes context-sensitive DSP sub-queries.
 11. The method of claim 10, wherein the context-sensitive query is a structured query language (SQL) query which includes the context-sensitive DSP sub-queries, and which is communicated to the database to generate a response to the user interaction.
 12. The method of claim 7, wherein the method is used within an environment that includes the business application, or a cloud-based or other type of computing environment.
 13. A non-transitory computer readable medium, including instructions stored thereon which when read and executed by one or more computers cause the one or more computers to perform the steps comprising: providing a context capture module that captures context attributes associated with a user interaction with a business application; and providing a context processor that receives as input the context attributes, and a set of one or more data security predicate (DSP) sub-queries applicable to the user, and applies the context attributes to the DSP sub-queries to produce a context-sensitive query.
 14. The non-transitory computer readable medium of claim 13, wherein the system includes an application user interface, and wherein the context capture module captures context attributes associated with the user interacting with the user interface as part of a business flow.
 15. The non-transitory computer readable medium of claim 13, further comprising a security framework that determines, based on the user's role and a current context, the set of DSP sub-queries applicable to the user, and provides the set of DSP sub-queries to the context processor in response to the user interaction.
 16. The non-transitory computer readable medium of claim 15, wherein the context-sensitive query is communicated to a database as a query that includes context-sensitive DSP sub-queries.
 17. The non-transitory computer readable medium of claim 16, wherein the context-sensitive query is a structured query language (SQL) query which includes the context-sensitive DSP sub-queries, and which is communicated to the database to generate a response to the user interaction.
 18. The non-transitory computer readable medium of claim 13, wherein the steps are performed within an environment that includes the business application, or a cloud-based or other type of computing environment. 